In "Get Inside Active Directory Connector Synchronization," February 2006, InstantDoc ID 48589, I outline some of the mechanisms the Active Directory Connector (ADC) uses to synchronize hidden objects, distribution lists (DLs) with hidden membership, and connection agreement (CA) authentication and credential handling. Once you understand the ADC's internal operation and how it processes objects during synchronization, you can fine-tune the ADC to improve synchronization in your environment.
Determining Which Objects to Synchronize
The ADC uses update sequence numbers (USNs) to control synchronization between the Exchange Server 5.5 Directory Service (DS) and Active Directory (AD), much like Exchange 5.5 uses USNs to control intrasite and intersite replication. Each CA uses the values of two attributes, msExchServer1HighestUSN and msExchServer2HighestUSN, to control synchronization from AD to the DS and from the DS to AD, respectively. These attributes are properties of the CA.
To get an idea of how these attributes work, let's consider DS-to-AD synchronization, which uses the msExchServer2HighestUSN attribute. During the initial DS-to-AD synchronization, the ADC sets the CA's msExchServer2HighestUSN attribute value to the value of the highest USN encountered and synchronized on any object in the source DS. (A new CA's msExchServer2HighestUSN attribute is set to 0.) During each subsequent synchronization, the ADC obtains the CA's msExchServer2HighestUSN attribute value (which was set during the previous synchronization cycle), then searches the DS for objects that have a USN-Changed attribute value that's higher than the current msExchServer2HighestUSN value. Thus the ADC selects for synchronization all objects that have changed since the previous synchronization. After synchronizing these objects, the ADC writes the highest encountered USN-Changed value to the CA's msExchServer2HighestUSN attribute. This value then becomes the high-water mark for the next synchronization cycle. When you make a change to objects in a directory, the ADC replicates the change.
To prevent the ADC from resynchronizing objects that were previously synchronized to the DS from AD, the ADC also looks at changed objects' Replication-Signature and Object-Version attributes. Each CA has a signature that the ADC defines during CA configuration. As the ADC synchronizes AD objects to the DS, it writes the CA's signature into the newly created DS object's Replication-Signature attribute. The ADC also sets or modifies DS objects' Object-Version attribute. This attribute is set to 1 when an object is first created and incremented by 1 during each modification. During that modification, the ADC also copies the Object-Version value into the Replicated-Object-Version attribute. Therefore, an object's Object-Version and Replicated-Object-Version values will be identical just after AD-to-DS replication. When an object's Replication-Signature value matches the CA's signature and its Object-Version value is equal to or less than its Replicated-Object-Version value, the ADC excludes the object from DS-to-AD synchronization.
The synchronization process from AD to the DS is similar, because AD also uses USN values to perform intrasite and intersite replication; the difference is that AD-to-DS synchronization uses the msExchServer1HighestUSN attribute instead of the msExchServer2HighestUSN attribute. AD-to-DS synchronization is slightly more complicated than DS-to-AD synchronization because AD uses attribute-based replication instead of object-based replication. Therefore, in addition to using USN values, the ADC uses the sum of each AD object's attribute versions during AD-to-DS synchronization.
ADC Block Searching
During an initial synchronization between AD and the DS, the ADC might select many thousands of objects for synchronization, depending on the number of objects defined in the source DSs. For example, in a large AD implementation with 100,000 defined objects, all 100,000 objects must be synchronized during the initial synchronization or a complete resynchronization. If an external factor such as a network-link failure or remote-system power failure interrupts the synchronization process, synchronization must restart from the beginning.
To prevent unnecessary data resynchronization, the ADC processes objects in groups of 10,000. The ADC searches the DS to determine the highest USN-Changed value on any object. The first synchronization attempt processes only objects whose USN-Changed attribute has a value between the current value of msExchServer1HighestUSN and msExchServer1HighestUSN+10000 (or the highest determined USN-Changed value, whichever is lower). After the changed objects in this range are processed and committed to the DS, msExchServer1HighestUSN is incremented by 10,000. If the msExchServer1HighestUSN attribute's new value is less than the highest determined USN-Changed value, the ADC processes the next batch of AD objects. This procedure continues until all eligible objects are processed and the highest USN-Changed value is written to the msExchServer1HighestUSN attribute. If a failure occurs during synchronization, only the current batch of 10,000 objects must be reprocessed.
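To make the selection rule and the block searching concrete, here is an added Python simulation; it's illustrative code written for this article, not ADC or Microsoft code, and the ADC's real internal data structures aren't public. It models the DS-to-AD direction: objects are selected by USN-Changed above the msExchServer2HighestUSN high-water mark, the Replication-Signature/Object-Version rule drops objects this CA itself wrote to the DS, and the work proceeds in 10,000-USN blocks so an interruption costs at most one block. The block logic is described above for msExchServer1HighestUSN; it's applied here to the other direction on the strength of the statement that the two directions work the same way. The object names, USN values and CA signature strings are constructed sample data.

```python
"""Simulation of ADC DS-to-AD change selection and block searching.

Added illustration, not ADC code. Object names, USNs and CA signatures
below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

BLOCK_SIZE = 10_000  # USN window per search block, as described in the article


class SyncInterrupted(Exception):
    """Stands in for a network-link or remote-system failure mid-cycle."""


@dataclass
class DsObject:
    """A DS object with the attributes the ADC inspects (constructed sample)."""
    name: str
    usn_changed: int                              # USN-Changed
    replication_signature: Optional[str] = None   # Replication-Signature (set when a CA created the object)
    object_version: int = 1                       # Object-Version
    replicated_object_version: int = 0            # Replicated-Object-Version


@dataclass
class ConnectionAgreement:
    """The CA state the algorithm needs: its signature and its DS-to-AD high-water mark."""
    signature: str
    highest_usn: int = 0                          # msExchServer2HighestUSN; 0 for a new CA
    synced: list[str] = field(default_factory=list)


def written_by_this_ca(obj: DsObject, ca: ConnectionAgreement) -> bool:
    """Exclusion rule: created in the DS by this CA (matching signature) and not
    modified in the DS since (Object-Version <= Replicated-Object-Version)."""
    return (obj.replication_signature == ca.signature
            and obj.object_version <= obj.replicated_object_version)


def select_changes(ds: list[DsObject], ca: ConnectionAgreement, low: int, high: int) -> list[DsObject]:
    """Objects whose USN-Changed lies in (low, high] and that the exclusion rule does not drop."""
    return [o for o in ds if low < o.usn_changed <= high and not written_by_this_ca(o, ca)]


def synchronize(ds: list[DsObject], ca: ConnectionAgreement,
                fail_after_blocks: Optional[int] = None) -> int:
    """One DS-to-AD cycle in search blocks of BLOCK_SIZE USNs.

    Each block covers (highest_usn, min(highest_usn + BLOCK_SIZE, top)]; once a block
    is processed the high-water mark advances, so an interruption loses at most one
    block. fail_after_blocks simulates a failure after that many blocks.
    Returns the number of blocks completed in this call.
    """
    top = max((o.usn_changed for o in ds), default=0)
    blocks = 0
    while ca.highest_usn < top:
        high = min(ca.highest_usn + BLOCK_SIZE, top)
        for obj in select_changes(ds, ca, ca.highest_usn, high):
            ca.synced.append(obj.name)   # stand-in for creating/updating the AD object
        ca.highest_usn = high            # block committed: advance the high-water mark
        blocks += 1
        if fail_after_blocks is not None and blocks >= fail_after_blocks:
            raise SyncInterrupted(f"link failed after {blocks} block(s); mark at {ca.highest_usn}")
    return blocks


def sample_ds() -> list[DsObject]:
    """Constructed DS contents, not real directory data."""
    return [
        DsObject("alice", 15),                                                        # native DS object
        DsObject("bob", 12_000, "CA-1", object_version=2, replicated_object_version=2),   # created by CA-1, untouched since
        DsObject("carol", 12_500, "CA-1", object_version=3, replicated_object_version=2), # created by CA-1, then edited in the DS
        DsObject("dave", 21_000, "OTHER-CA", object_version=1, replicated_object_version=1),  # created by another CA
    ]


if __name__ == "__main__":
    ca = ConnectionAgreement(signature="CA-1")
    ds = sample_ds()
    try:
        synchronize(ds, ca, fail_after_blocks=1)
    except SyncInterrupted as exc:
        print("interrupted:", exc)
    print("resumed; blocks:", synchronize(ds, ca), "synced:", ca.synced, "mark:", ca.highest_usn)
```

Running it, the first attempt processes the (0, 10000] block, picks up alice, and then fails with the mark already at 10,000; the rerun starts there instead of at 0, skips bob (this CA's own unmodified object), and takes carol (edited in the DS after the AD-to-DS copy) and dave (a different CA's signature). A further cycle with no new changes selects nothing.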
Committing ADC Changes to AD
The ADC caches significant amounts of information to improve performance. For example, the ADC caches msExchServer1HighestUSN and msExchServer2HighestUSN, writing them directly to AD only occasionally. Updates to these attributes after a synchronization cycle or search block (as I describe in the previous section) apply only to the memory-resident versions.
In general, the msExchServer1HighestUSN and msExchServer2HighestUSN values write to AD every 24 hours. For new CAs, updates to these attributes commit to AD every 30 minutes. (A new CA is a CA that's executing its first synchronization cycle, which typically takes an extended period of time, depending on factors such as network bandwidth and DS and AD system performance.) New CAs' msExchServer1HighestUSN and msExchServer2HighestUSN attributes commit frequently because of the large amount of data that typically synchronizes soon after a CA's initial configuration. If a system failure occurs on the ADC server, the maximum amount of resynchronization work that results is limited to 30 minutes. Immediate updates to AD occur when the ADC service is stopped, at the end of a CA's first synchronization cycle, and when a CA moves from one ADC server to another.
A CA's vector attributes are also important to AD synchronization. The msExchServer2HighestUSNVector attribute isn't used, but the ADC populates and uses the msExchServer1HighestUSNVector attribute. The msExchServer1HighestUSNVector attribute is multivalued and relevant only on Windows Server 2003 or Windows 2000 Server systems. This attribute holds the highest committed USN for each domain controller (DC) contacted during a CA's lifetime. For example, if you configure a CA to synchronize from a DC named CTZDC01, then modify the configuration so that synchronization occurs from a DC named CTZDC02, you'll see two values for the msExchServer1HighestUSNVector attribute: one relating to the highest committed USN on CTZDC01 and the other for the highest committed USN on CTZDC02. The ADC stores this information so that no objects are missed when a CA rehomes to another ADC.
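The cache-and-commit behaviour above is easy to misjudge when sizing the impact of an ADC server failure, so here is an added Python simulation of it; it's illustrative code written for this article, not ADC code. It keeps a memory-resident copy of each high-water mark separate from the value last written to the CA object in AD, commits on the 30-minute (new CA) or 24-hour (established CA) schedule and on the three immediate triggers named above, reports where a post-crash cycle would resume, and tracks a per-DC msExchServer1HighestUSNVector as the source DC changes. The timing values, USN numbers and the DC names CTZDC01 and CTZDC02 in the scenario are constructed, and the internal layout of the cache is an assumption.

```python
"""Simulation of how the ADC caches a CA's high-water marks and commits them to AD.

Added illustration, not ADC code. Commit intervals and immediate-commit
triggers follow the article; the timeline and USN values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

NEW_CA_COMMIT_INTERVAL = 30 * 60            # seconds: CA in its first synchronization cycle
ESTABLISHED_CA_COMMIT_INTERVAL = 24 * 3600  # seconds: CA past its first cycle


@dataclass
class CaHighWaterMarks:
    """Cached versus committed high-water marks of one CA (assumed layout)."""
    first_cycle_complete: bool = False
    # memory-resident values, updated after every search block
    cached_server1_usn: int = 0        # msExchServer1HighestUSN (AD-to-DS)
    cached_server2_usn: int = 0        # msExchServer2HighestUSN (DS-to-AD)
    # values as last written to the CA object in AD
    committed_server1_usn: int = 0
    committed_server2_usn: int = 0
    last_commit_time: float = 0.0
    # msExchServer1HighestUSNVector: highest USN seen per DC contacted during the CA's lifetime
    server1_usn_vector: dict[str, int] = field(default_factory=dict)
    commit_log: list[str] = field(default_factory=list)

    def commit_interval(self) -> int:
        return ESTABLISHED_CA_COMMIT_INTERVAL if self.first_cycle_complete else NEW_CA_COMMIT_INTERVAL

    def record_block(self, direction: int, usn: int, now: float, source_dc: str | None = None) -> None:
        """Finish a search block: update the cache only, then commit if the interval has elapsed."""
        if direction == 1:
            self.cached_server1_usn = usn
            if source_dc is not None:   # USNs are per DC, so keep one entry per DC
                self.server1_usn_vector[source_dc] = max(self.server1_usn_vector.get(source_dc, 0), usn)
        elif direction == 2:
            self.cached_server2_usn = usn
        else:
            raise ValueError("direction must be 1 (AD-to-DS) or 2 (DS-to-AD)")
        if now - self.last_commit_time >= self.commit_interval():
            self.commit(now, "periodic")

    def commit(self, now: float, reason: str) -> None:
        """Write the cached marks to the CA object in AD (simulated) and note why."""
        self.committed_server1_usn = self.cached_server1_usn
        self.committed_server2_usn = self.cached_server2_usn
        self.last_commit_time = now
        self.commit_log.append(f"{reason}@{int(now)}s")

    # The three immediate-commit triggers named in the article
    def end_of_first_cycle(self, now: float) -> None:
        self.first_cycle_complete = True
        self.commit(now, "first-cycle-complete")

    def service_stopped(self, now: float) -> None:
        self.commit(now, "service-stop")

    def moved_to_other_adc(self, now: float) -> None:
        self.commit(now, "rehome")

    def resume_point_after_crash(self) -> tuple[int, int]:
        """A crash discards the cache; the next cycle restarts from the committed marks,
        so the work redone is bounded by what accumulated since the last commit."""
        return self.committed_server1_usn, self.committed_server2_usn


def scenario() -> CaHighWaterMarks:
    """Constructed timeline: a new CA finishes a 10,000-USN block every 10 minutes from CTZDC01."""
    ca = CaHighWaterMarks()
    t = 0.0
    for usn in (10_000, 20_000, 30_000, 40_000, 50_000):
        t += 600
        ca.record_block(1, usn, t, source_dc="CTZDC01")
    return ca


if __name__ == "__main__":
    ca = scenario()
    print("cached:", ca.cached_server1_usn, "committed:", ca.committed_server1_usn)
    print("resume after crash from:", ca.resume_point_after_crash(), "commits:", ca.commit_log)
```

In the scenario the cached msExchServer1HighestUSN reaches 50,000 after 50 minutes, but only the 30-minute commit (value 30,000) is in AD, so a crash at that point redoes two blocks, which is the bound the 30-minute interval gives. Once the first cycle ends, the commit interval stretches to 24 hours, and pointing the CA at a second DC adds a second vector entry rather than overwriting the first.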